Privacy Policy

To run Acuity, we collect the following:

• Account data. Email address (required for sign-in), display name and profile image (if provided via Google OAuth), timezone, reminder time preference.
• Voice recordings. The audio you record in the app, up to 120 seconds per session.
• Transcripts. The text version of each recording, generated automatically from your audio.
• AI-extracted structured data. Mood, energy level, themes, wins, blockers, tasks, goals, and life-area mentions, all derived from your transcript by Claude.
• Subscription state. Your trial status and (if you subscribe) the Stripe-issued customer and subscription identifiers. Payment card details are handled directly by Stripe — we never see them.
• Usage analytics. Anonymous-by-default product analytics (sign-in events, page views, recording counts) so we can understand which parts of the app are working.
• Operational logs. Standard server-side request logs (timestamps, response codes, error stack traces) for debugging and security monitoring.

We collect each category of data only for purposes that the product itself makes obvious:

• Account data → sign you in, send sign-in emails, schedule your reminders.
• Voice recordings → transcribe the audio. Stored so you can play back your own entries.
• Transcripts and AI-extracted data → populate the dashboard, the Life Matrix, and weekly reports.
• Subscription state → gate paid features and process renewals.
• Analytics → understand which features are used, detect outages, prioritise improvements.

We do not use your recordings, transcripts, or extracted data to train AI models. We do not sell or rent your data to anyone.

We rely on a small set of vendors (“subprocessors”) to operate the service. Each one receives only the data it needs to do its job, and each one’s privacy policy applies to the data they handle:

• Anthropic — processes your transcripts to extract structured data and generate weekly narratives via the Claude API. Subprocessor privacy policy: anthropic.com/legal/privacy.
• OpenAI — transcribes your audio via the Whisper API. openai.com/policies/privacy-policy.
• Supabase — hosts our Postgres database and stores your audio files. supabase.com/privacy.
• Stripe — processes subscription payments. Stripe handles your payment-card details directly; Acuity never receives them. stripe.com/privacy.
• Resend — delivers sign-in magic links and transactional email. resend.com/legal/privacy-policy.
• Vercel — hosts and serves the web application. vercel.com/legal/privacy-policy.
• Inngest — orchestrates background jobs that run our AI pipeline. inngest.com/privacy.

We will update this list when we add or remove subprocessors. We do not share data with any party for advertising, marketing, or model-training purposes.

While your account is active, we keep your data for as long as you use the service. When you delete your account from Account → Delete account, we immediately and permanently hard-delete:

• Your account record, sessions, and authentication tokens.
• All your entries, transcripts, tasks, goals, weekly reports, life audits, and life-map data.
• All audio files in our storage bucket under your user ID.
• Your row in our analytics provider (subject to that provider’s deletion API).

Deletion from our application database is immediate. We do not maintain our own backup snapshots that would preserve deleted data. Our infrastructure provider (Supabase) maintains automated database backups for service reliability; those backups age out per their provider-managed schedule and are not under our direct control.

Stripe customer records, when applicable, are deleted via Stripe’s API at the same time as the account deletion. Stripe may retain non-personal financial transaction history independently as legally required for tax and accounting purposes (typically 7 years).

Depending on where you live, you have one or more of the following rights over your personal data. Acuity honours these rights for all users regardless of jurisdiction:

• Right of access (GDPR Art. 15 / CCPA §1798.100) — ask us what personal data we hold about you.
• Right to data portability (GDPR Art. 20) — receive a machine-readable export of your entries, transcripts, and extracted data.
• Right to erasure (GDPR Art. 17 / CCPA §1798.105) — have us delete your account and all associated data.
• Right to rectification — correct inaccurate personal data we hold about you.
• Right to object — opt out of any processing not strictly necessary to provide the service.
• Right to non-discrimination (CCPA) — we will not penalise you for exercising any of the above rights.

To exercise any of these rights, email privacy@getacuity.io. We respond to verified requests within 30 days.

Acuity is not intended for users under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, contact us at privacy@getacuity.io and we will delete the account and any associated data.

• All traffic between your device and our servers is encrypted with TLS 1.2 or higher.
• Database storage and audio file storage are encrypted at rest by our infrastructure provider (Supabase).
• Access to production systems is limited to a small number of authorised operators and is audit-logged.
• We never store payment-card details. Stripe handles those directly with PCI-compliant infrastructure.
• We use a credential-leak pre-commit hook to prevent secrets from entering source control.

No system is perfectly secure. If we discover a breach affecting your data, we will notify you within 72 hours of becoming aware of it (or sooner if required by law in your jurisdiction).

For privacy questions or to exercise any of the rights above:

privacy@getacuity.io

For general support: hello@getacuity.io.

We may update this Privacy Policy from time to time. When we do, we’ll change the “Last updated” date at the top of this page and, for material changes, notify active users by email at least 14 days before the changes take effect.